
I’ve accepted a bunch of dependabot PRs but I always review the change they make. Sometimes I modify or reject depending on the change.

All the ones I remember are just version bumps to address some vulnerability.

I thought dependabot commits were signed though. So just seeing a commit from a user named “dependabot” would actually be extra suspicious to me.




> I thought dependabot commits were signed though.

… nothing stops a dependabot impersonator from signing their commit.

(edit: the OP is rather confused on this point. While the commit could be signed, I don't know that in this case it could be signed in a way that Github would give it the green (Verified) bauble. The prose says the commit is signed, but the screenshot seems to suggest they're not. (Though they almost covered up the relevant area…))

You'd still have to notice that it's not coming from the real dependabot

> So just seeing a commit from a user named “dependabot” would actually be extra suspicious to me.

Short of hovering over the user's icon¹ (which should go to the app, not to a user) or reading the content of the commit … I don't think a good impersonation would look different from the real deal in the history.

(Note that as others note: the commits here are already merged, via stolen PATs. You'd be trying to distinguish a malicious commit in your history from the real deal.)

¹actually, maybe they can't spoof the icon, since it's coming from a stolen PAT + the commit data isn't going to link up due to trying to spoof the name, which is why it's blank in the screencap. So that's a bit more of a giveaway, but I still think most people would be hard-pressed to notice.
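A defender-side check for the mismatch described above (a commit whose author name says "dependabot" but whose identity and signature status do not line up), as an added example that is not part of the thread: it audits `git log` output carrying the `%G?` signature status. The Dependabot app's author name and noreply address are assumed values; confirm them against a commit you already know came from Dependabot before relying on them, and import GitHub's web-flow signing key so the status can be checked at all.

```python
# Assumed identity of the real Dependabot app (not taken from the thread);
# verify against a known-good commit in your own history first.
EXPECTED_NAME = "dependabot[bot]"
EXPECTED_EMAIL = "49699333+dependabot[bot]@users.noreply.github.com"
# %G? values: G = good, U = good but untrusted key, B = bad, N = unsigned,
# E = cannot be checked (e.g. signing key not in your keyring).
GOOD_STATUSES = {"G", "U"}
SEP = "\x1f"  # unit separator; produce input with:
# git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%s'

def parse_log(text):
    """Split git log output into one dict per commit; malformed lines are skipped."""
    fields = ("sha", "name", "email", "sig", "subject")
    commits = []
    for line in text.splitlines():
        parts = line.split(SEP)
        if len(parts) == len(fields):
            commits.append(dict(zip(fields, parts)))
    return commits

def audit(text):
    """Return [(sha, [reasons])] for commits that claim to be Dependabot but don't line up."""
    findings = []
    for c in parse_log(text):
        if "dependabot" not in c["name"].lower():
            continue  # only commits presenting themselves as Dependabot are of interest
        reasons = []
        if c["name"] != EXPECTED_NAME:
            reasons.append(f"author name {c['name']!r} != {EXPECTED_NAME!r}")
        if c["email"] != EXPECTED_EMAIL:
            reasons.append(f"author email {c['email']!r} is not the app's noreply address")
        if c["sig"] not in GOOD_STATUSES:
            reasons.append(f"signature status {c['sig']!r} is not a good signature")
        if reasons:
            findings.append((c["sha"], reasons))
    return findings

# Constructed sample log (not real commits): a genuine bump, an impersonator with
# the wrong name/email, an unsigned commit with the right name and email, a human commit.
SAMPLE_LOG = "\n".join([
    SEP.join(["a1b2c3", EXPECTED_NAME, EXPECTED_EMAIL, "G", "Bump lodash from 4.17.20 to 4.17.21"]),
    SEP.join(["d4e5f6", "dependabot", "dev@example.invalid", "N", "Bump lodash from 4.17.20 to 4.17.21"]),
    SEP.join(["778899", EXPECTED_NAME, EXPECTED_EMAIL, "N", "Bump axios from 0.21.1 to 0.21.2"]),
    SEP.join(["aabbcc", "Jane Maintainer", "jane@example.invalid", "G", "Fix typo in README"]),
])

if __name__ == "__main__":
    for sha, reasons in audit(SAMPLE_LOG):
        print(sha, "->", "; ".join(reasons))
```

The third sample is the case the parent comment describes: a commit pushed with a stolen PAT can carry any author name and e-mail, but not the app's signature.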


Version bumps are often enough to own a repository. There are plenty of examples of a quickly pulled version that introduces a security hole, and a few where the maintainer [account] pushes then immediately hides a malicious point release.


Certainly. But that’s two vulnerabilities and usually by different groups.

So that’s a pretty sophisticated group to pwn a package and then submit all the dependabot version bumps.

Not impossible, but less likely. And I don’t blindly accept version bumps as I read the associated CVE and see if I need it. And I think it’s pretty rare for major packages to get compromised. When pandas or numpy get breached, I think I’ll hear about it way before I accept a dependabot PR to change my version.

